
Time to Get VERY Concerned about CISA Gutting Governmental Leverage on Corporations over Cyber

Back in August, I wrote a post wondering whether the following clause in the Cyber Intelligence Sharing Act would provide a way for corporations to avoid any government action punishing them for their negligence on cybersecurity.

(D) FEDERAL REGULATORY AUTHORITY.—

(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.

(ii) EXCEPTIONS.—

(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.

(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.

My worry was that a serial hacking target like Wyndham — or even just a company with sloppy security like GM — could immediately share information on a hack (or even a vulnerability identified by a security researcher that technically violated a company’s DMCA rights) with the government, and in doing so avoid any further action from the government on that point.

Something similar appears to happen with the Bank Secrecy Act: banks share information and therefore limit their liability for money laundering or supporting terrorists or what have you.

If my concern is correct, it would provide companies that chose not to fix vulnerabilities a way to avoid NHTSA-required recalls or FTC lawsuits.

At Computers Freedom and Privacy, I asked the author of CISA, Senate Intelligence staffer Josh Alexander, about the clause.

His only response was to point to this language permitting disclosure of information.

(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—

(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or

(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.

He emphasized that the government could still respond to unlawful activity. But bad security is not unlawful.

In other words, he had no response to my concerns. Which leads me to believe CISA guts the government’s ability to punish companies that don’t fix their security issues.

I guess that explains why the Chamber of Commerce is so excited about the bill.

This Surveillance Bill Brought to You by the US Chamber of Commerce — To Stave Off Something More Effective

The Chamber of Commerce has a blog post pitching CISA today.

It’s mostly full of lies (see OTI’s @Robyn_Greene‘s timeline for an explication of those lies).

But given Sheldon Whitehouse’s admission the other day that the Chamber exercises pre-clearance vetoes over this bill, I’d like to consider what the Chamber gets out of CISA. It claims the bill “would help businesses achieve timely and actionable situational awareness to improve theirs and the nation’s detection, mitigation, and response capabilities against cyber threats.” At least according to the Chamber, this is about keeping businesses safe. Perhaps it pitches the bill in those terms because of its audience, other businesses. But given the gross asymmetry of the bill — where actual humans can be policed based on data turned over, but corporate people cannot be — I’m not so sure.

And therein lies the key.

Particularly given increasing calls for effective cybersecurity legislation — something with actual teeth — at least for cars and critical infrastructure, this bill should be considered a corporatist effort to stave off more effective measures that would have a greater impact on cybersecurity.

That is borne out by the Chamber’s recent 5 reasons to support CISA post. It emphasizes two things that have nothing to do with efficacy: the voluntary nature of it, and the immunity, secrecy, and anti-trust provisions in the bill.

That is, the Chamber, which increasingly seems to be the biggest cheerleader for this bill, isn’t aiming at anything more than “situational awareness” to combat the scourge of hacking. But it wants that — the entire point of this bill — within a context that provides corporations with maximal flexibility while giving them protection they have to do nothing to earn.

CISA is about immunizing corporations to spy on their customers. That’s neither necessary nor the most effective means to combat hacking. Which ought to raise serious questions about the Chamber’s commitment to keeping America safe.


The US Chamber of Commerce Is Pre-Clearing What It Is Willing to Do for Our National Security on CISA

Sheldon Whitehouse just attempted (after 1:44) to rebut an epic rant from John McCain (at 1:14) in which the Arizona Senator suggested anyone who wanted to amend the flawed Cyber Intelligence Sharing Act wasn’t serious about national security.

Whitehouse defended his two amendments first by pointing out that McCain likes and respects the national security credentials of both his co-sponsors (Lindsey Graham and Max Blunt).

Then Whitehouse said, “I believe both of the bills [sic] have now been cleared by the US Chamber of Commerce, so they don’t have a business community objection.”

Perhaps John McCain would be better served turning himself purple (really! watch his rant!) attacking the very notion that the Chamber of Commerce gets pre-veto power over a bill that (according to John McCain) is utterly vital for national security.

Even better, maybe John McCain could turn himself purple suggesting that the Chamber needs to step up to the plate and accept real responsibility for making this country’s networks safer, rather than just using our cybersecurity problems as an opportunity to demand immunity for yet more business conduct.

If this thing is vital for national security — this particular bill is not, but McCain turned himself awfully purple — then the Chamber should just suck it up and meet the requirements to protect the country decided on by the elected representatives of this country.

Yet instead, the Chamber apparently gets to pre-clear a bill designed to spy on the Chamber’s customers.

Less than 15 Hours After Winning Senate Majority GOP Started Laying Plans to Grow the Deficit

As I laid out yesterday, Mitch McConnell’s victory lap made it clear he plans to set up ObamaCare — the individual mandate — as a key campaign issue for 2016.

There were another few details from that speech that were very telling.

First, McConnell said he would roll out tax reform — that is, very large tax cuts for corporations. That’s clearly payback for the Chamber of Commerce, which had a very critical role in the GOP’s success, according to this great article from the WaPo.

American Crossroads and the U.S. Chamber of Commerce played aggressively in primaries to boost the candidates they believed could win general elections — including Thom Tillis in North Carolina and Dan Sullivan in Alaska.

[snip]

For much of the primary, Cochran was sleepy and might have been defeated outright were it not for a late push from the U.S. Chamber of Commerce, which aired a pro-Cochran testimonial from football legend Brett Favre on his farm in Hattiesburg, Miss.

[snip]

Despite his corporate pedigree, Perdue was one of the few Republicans running without the backing of the U.S. Chamber. In late 2013, the Chamber’s Rob Engstrom scheduled an endorsement interview with Perdue in Atlanta at 8 a.m. Perdue arrived at 8:35 and did not apologize for being late, according to three people familiar with the exchange. Sitting with his arms folded, Perdue told Engstrom, “I don’t give a damn about the U.S. Chamber.” Perdue put his finger on the table and said, “You’re either going to endorse me right here, right now, or you’re wasting my time.”

Seven minutes in, the meeting was over.

[snip]

It was Republican former Senate leader Robert J. Dole, 91, who first sensed trouble for Roberts. Amid a tour of Kansas, Dole in May called Scott Reed, his 1996 presidential campaign manager and now an adviser at the U.S. Chamber, with a warning. “There wasn’t the enthusiasm I expected for Pat,” Dole said.

Of course, that’s going to leave a hole in the budget. Eliminating the medical device tax — another tweak McConnell promised to make to ObamaCare — will create another hole in the budget.

McConnell revealed part of how he was going to fill it with his response to a question about the Democrats’ filibuster reform. He noted that the Senate doesn’t need 60 to get things done for some issues. He noted they can use reconciliation and push stuff through with just 51 votes.

The GOP has spent 4 years complaining that the Democrats pushed ObamaCare through using reconciliation. But it took just 15 hours after winning the majority for McConnell to make clear that he plans to push through aggressive ideological legislation using the same tool.

Still, all the cutting in the world isn’t going to make up for steep drops in corporate tax revenue. Which means — as always happens when Republicans are in charge — we should expect the deficit to start growing again.

Even as the Costs Become Apparent, Big Business Pushes to Legalize Bribery

Last night, Jefferson County, AL delayed for a month its decision whether to declare bankruptcy or accept a settlement with its creditors and the state. At issue is $3.2 billion in debt, much of it for a sewer upgrade, that got dragged into the financial crash. The current deal would have creditors forgo a third of the debt in exchange for rate increases and the creation of an independent authority to run the sewer. County commissioners balked, though, arguing the deal relied on too many contingencies from the state–none of which are guaranteed–and took away any control at the county level. In short, it’s a mess, one that is costing the people of Jefferson County in increased rates and diminished services as the county struggles to find funding mechanisms to pay for the debt.

Yesterday, Reuters did a report summarizing all the bribery that went into the original sewer deal–and noting that JP Morgan hasn’t suffered any reputational damage or loss of business for it, largely because it has blamed the deal on corrupt local officials.

JPMorgan Chase & Co. (JPM)’s Charles LeCroy said the key to landing bond deals in Jefferson County, Alabama, was finding out whom to pay off. In one example, that meant a $2.6 million payment to Bill Blount, a local banker and longtime friend of County Commissioner Larry Langford.

“It’s a lot of money, but in the end it’s worth it on a billion-dollar deal,” LeCroy told a colleague in 2003, according to a complaint filed by the Securities and Exchange Commission.

[snip]

Just 21 months ago, JPMorgan agreed to a $722 million SEC settlement to end a case over secret payments to friends of Jefferson County commissioners. The financings arranged by JPMorgan, a package of floating-rate debt and derivatives, exposed taxpayers to the 2008 credit crisis and dealt a blow that may lead the county to approve the biggest U.S. municipal bankruptcy as soon as today.


Richard Clarke: The Chamber Broke the Law

I’m really deep in the weeds on the Jack Goldsmith memo right now (I should have a weedy post up later).

But in case you’re bored with bmaz’s rant about the assault on Miranda rights, I thought I’d point to this TP post describing Richard Clarke suggesting that the Chamber of Commerce (funded by foreign sources, he notes) may have broken the law in targeting Chamber opponents.

Clarke denounced the scandal in no uncertain terms. Noting accurately that the Chamber “took foreign money in the last election,” a story also uncovered by ThinkProgress, Clarke said the Chamber had conspired to commit a “felony”:

FANG: Hi. You talked a lot about classifying and recognizing cyber security threats, but you mostly focused on foreign threats. I’m curious about a story that broke last month, that the US Chamber of Commerce, the world’s largest trade association, based here in DC, had contracted or attempted to contract military defense firms like HB Gary Federal, Palantir, and Berico, to develop proposals to use the same type of cyber warfare tactics normally reserved for Jihadi websites against left-wing activists, trade — labor unions, and left of center think tanks here in America. What do you think about that type of threat from a lobbyist or a corporation targeting political enemies, or perceived enemies here in the US?

CLARKE: I think it’s a violation of 10USC. I think it’s a felony, and I think they should go to jail. You call them a large trade association, I call them a large political action group that took foreign money in the last election. But be that as it may, if you in the United States, if any American citizen anywhere in the world, because this is an extraterritorial law, so don’t think you can go to Bermuda and do it, if any American citizen anywhere in the world engages in unauthorized penetration, or identity theft, accessing a number through identity theft purposes, that’s a felony and if the Chamber of Commerce wants to try that, that’s fine with me because the FBI will be on their doorstep in a matter of hours.

Now if only we had Feds anymore that would consider busting big business…

Themis Applies JSOC Techniques to Citizens “Extorting” from Corporate Clients

I have a feeling I’ll be doing a lot of these posts, showing how Hunton & Williams asked “Themis” (the three firm team of HBGary, Palantir, and Berico Technologies) to apply counterterrorism approaches to combat First Amendment activities.

This particular installment comes from an early presentation and accompanying proposal Themis prepared for Hunton & Williams. These documents were attached to an email dated November 2, 2010 sent out by Berico Technologies’ Deputy Director. He explains that the presentation and proposal would be briefed to H&W the following day.

The Powerpoint includes a slide describing the purpose of Themis’ pitch to H&W.

Purpose: Develop a corporate information reconnaissance service to aid legal investigations through the open source collection of information on target groups and individuals that appear organized to extort specific concessions through online slander campaigns.

Now, this is in the period when H&W was only beginning to discuss the Chamber of Commerce project with Themis, long before the BoA pitch. That is, this is the period when they were discussing generalized opposition to the Chamber of Commerce.

And out of that they got “extortion”? “slander”?

Apparently the team members of Themis–several of whom, as veterans, would have sworn an oath to our Constitution–accepted the premise that union members and poorly financed liberals opposing the wholesale sellout of our politics to private corporations constituted “extortion” and “slander.”

These firms, two of which deny any ill will, were willing to describe political speech–the opposition of working people to the Chamber’s hijacking of our politics–as “extortion” and “slander.”

More shocking to me, though, is where the proposal uses a Special Operations model to describe what Themis planned to do for H&W. On a proposal bearing Berico Technologies’ document header, Themis places their proposed “Corporate Information Reconnaissance Cell” next to a Joint Special Operations Command F3EA “targeting cycle” with this explanation:

Team Themis will draw on our extensive operational and intelligence experience to rapidly make sense of the volumes of data we’ve collected through the application of proven analytical/targeting methodologies. Drawing on the principles and processes developed and refined by JSOC in the “Find, Fix, Finish, Exploit, Analyze” (F3EA) targeting cycle, we will develop and execute a tailored CIRC intelligence cycle suited to enable rapid identification/understanding, refined collection/detection, focused application of effects, exploitation, and analysis/assessment.

Mind you, this is just a fancy graphic for “analysis”–the kind of stuff civilians do all the time. But Themis–led by Berico Technologies in this case–decided to brand it as a JSOC (Joint Special Operations Command) product, applying an American unconventional warfare model to targeting political opponents engaging in free speech.

This is a bunch of veterans proposing to go to war against citizen activism on behalf of the Chamber of Commerce and other corporations.

The proposal also highlights the JSOC experience of one Palantir team member.

He commanded multiple Joint Special Operations Command outstations in support of the global war on terror. Doug ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, Doug ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks.

Berico’s statement (from their CEO, Guy Filippelli, whose experience as Special Assistant to the Director of National Intelligence was also highlighted in the proposal) denied they would proactively target any Americans and spun the project itself as “consistent with industry standards for this type of work.”

Berico Technologies is a technical and analytic services firm that helps organizations better understand information critical to their core operating objectives. Our leadership does not condone or support any effort that proactively targets American firms, organizations or individuals.

[snip]

Late last year, we were asked to develop a proposal to support a law firm. Our corporate understanding was that Berico would support the firm’s efforts on behalf of American companies to help them analyze potential internal information security and public relations challenges. Consistent with industry standards for this type of work, we proposed analyzing publicly available information and identifying patterns and data flows relevant to our client’s information needs.

Yet it was Berico Technologies’ Deputy Director who sent out these documents adopting a military targeting approach for responding to citizens engaging in free speech.

The HBGary Scandal: Using Counterterrorism Tactics on Citizen Activism

As I described on the Mike Malloy show on Friday and as Brad Friedman discusses in his post on being targeted by the Chamber of Commerce, the essence of the Chamber of Commerce/Bank of America/HBGary scandal is the use of intelligence techniques developed for use on terrorists deployed for use on citizens exercising their First Amendment rights.

ThinkProgress has a post making it clear that the Chamber of Commerce’s nondenial denials don’t hold up. In this post, I’ll begin to show the close ties between the tactics HBGary’s Aaron Barr proposed to use against Wikileaks and anti-Chamber activists and those already used in counterterrorism.

Barr Says He’s Done this with Terrorists

I will get into what we know of Barr’s past intelligence work in future posts, but for the moment I wanted to look just at his reference to analysis he did on FARC. Barr’s HBGary coder, who sounds like the smartest cookie of the bunch, was balking at his analysis of Anonymous for several reasons–some of them ethical, some of them cautionary, and some of them technical. In the middle of an argument over whether what Barr was doing had any technical validity (the coder said it did not), Barr explained:

The math is already working out. Based on analysis I did on the FARC I was able to determine that Tanja (the Dutch girl that converted to the FARC) is likely managing a host of propaganda profiles for top leaders. I was able to associate key supporters technically to the FARC propaganda effort.

He’s referring to Tanja Anamary Nijmeijer, a Dutch woman who has been an active FARC member for a number of years. And while it’s not proof that Barr did his analysis on Nijmeijer for the government, she was indicted in the kidnapping of some American contractors last December and the primary overt act the indictment alleged her to have committed was in a propaganda function.

On or about July 25, 2003, JOSE IGNACIO GONZALEZ PERDOMO, LUIS ALBERTO JIMENEZ MARTINEZ, and TANJA ANAMARY NIJMEIJER, and other conspirators, participated in making a proof of life video of the three American hostages. On the video, the FARC announced that the “three North American prisoners” will only be released by the FARC once the Colombian government agrees to release all FARC guerrillas in Colombian jails in a “prisoner exchange” to take place “in a large demilitarized area.” The proof of life video was then disseminated to media outlets in the United States.

In any case, Barr is referring to an ongoing investigation conducted by the Miami and Counterterrorism Section of DOJ, with assistance from the DNI.

His “proof” that this stuff works is that it has worked in the past (he claims) in an investigation of Colombian (and Dutch) terrorists.


From the ChamberPot: A Carefully Worded Nondenial Denial

The Chamber of Commerce has responded to ThinkProgress’ reporting of the Chamber’s discussions with Hunton & Williams about an intelligence campaign against USChamberWatch and other anti-Chamber efforts. It purports to deny any connection with Hunton & Williams and HBGary.

More Baseless Attacks on the Chamber

by Tom Collamore

We’re incredulous that anyone would attempt to associate such activities with the Chamber as we’ve seen today from the Center for American Progress. The security firm referenced by ThinkProgress was not hired by the Chamber or by anyone else on the Chamber’s behalf. We have never seen the document in question nor has it ever been discussed with us.

While ThinkProgress and the Center for American Progress continue to orchestrate a baseless smear campaign against the Chamber, we will continue to remain focused on promoting policies that create jobs.

But it does no such thing.

First, note what they are denying:

  1. The “security firm” referenced by TP was not hired by the Chamber or by anyone else on the Chamber’s behalf
  2. “We have never seen the document in question”

By “security firm,” it presumably means HBGary, the one of the three security firms involved that got hacked.

Note, first of all, that they’re not denying hiring Hunton & Williams, the law firm/lobbyist which they hired last year to sue the Yes Men. They’re not even denying that they retain Hunton & Williams right now.

What they’re denying is that they–or, implicitly, Hunton & Williams, on their behalf–hired HBGary.

But as I suggested in my last post on this, they are not paying HBGary (or Hunton & Williams) for the work they’re doing right now; they’re all working on spec, to get the business (business which I’m guessing they’re not going to get).


Hacked Documents Show Chamber Engaged HBGary to Spy on Unions

(photo: Timothy Valentine; Edited: Lance Page / t r u t h o u t)

[Ed: Read the documents about the US Chamber’s plan to spy on unions.]

I noted yesterday how mind-numbingly ignorant HBGary’s analysis of Glenn Greenwald’s motivation as a careerist hack was. And if the allegations in the excerpts of former WikiLeaks volunteer Daniel Domscheit-Berg’s book are accurate, HBGary’s analysis of WikiLeaks itself is even more ignorant.

Add in the fact that this “security” company got hacked in rather embarrassing fashion.

Which, I’m guessing, is going to cause the Chamber of Commerce to rethink the spying work with HBGary it apparently has been considering.

Let me start with this caveat: what follows is based on emails available by Torrent. The parties in this affair are making claims and counterclaims about the accuracy of what is in there.

But it appears that back in November the same parties involved in the pitch to Bank of America–Palantir, HBGary Federal, and Berico Technologies working through Hunton and Williams–started preparing a pitch to the Chamber of Commerce. At that point, HBGary started researching the anti-Chamber groups StoptheChamber.com and USChamberWatch. At one point, HBGary maps the connections between SEIU, Change to Win, and USChamberWatch as if they’ve found gold.

By the end of November, Barr starts working on a presentation outlining the difference between StoptheChamber and USChamberWatch, as well as “a link chart of key people in the distribution of information, background information on each individual and ways to counteract their effect on group.”

On January 13, HBGary believed they had signed a contract.

This afternoon an H&W courier is bringing over a CD with the data from H&W from phase 1. We are assuming that this means that phase 1 is a go (We’ll let you know once we confirm this) and I’m wondering how we will integrate that data. Should we bring the CD over to Tyson’s Corner?

On February 3, law firm H&W came back to the three security firms and told them they’d be doing their Phase I work on spec, until the Chamber had bought into the full project. At that point, the firms put together a plan including a proposed February 14 briefing.

In response, Aaron Barr boasted (as is his wont) that his upcoming presentation at BSides security conference on Anonymous should be proof enough.

Let them read about my talk in two weeks on my analysis of the anonymous group.

Should be proof enough. But willing to discuss.

Which gets us just about to the point where Barr blabs his mouth, this security firm is badly hacked, and the Chamber of Commerce’s efforts to use intelligence firms to investigate activists exposing the Chamber’s own work are revealed.

I’m guessing HBGary just lost that contract, how about you?

Update: TP has a related take on this, describing more about what the proposal is:

According to one document prepared by Team Themis, the campaign included an entrapment project. The proposal called for first creating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then to subsequently expose the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win.